Knowing Your Business’s Cybersecurity Awareness Training Level

Author: Craig Pollack Date: Dec 14, 2017 Topics: General Business Owner Blogs, Cybersecurity


BM CEO Ginni Rometty has been quoted as saying, “Cyber crime is the greatest threat to every company in the world.” And, unfortunately, there are WAY too many stats to help back up her claim. Nearly half of all cyber attacks focus on small businesses, and it is estimated that 1 of every 2 large enterprises are targeted multiple times each year.

With the growing number of cybersecurity concerns, ransomware, identity theft, DDoS attacks and hacking attempts taking place in the U.S. and abroad, cyber security is becoming an increasingly worrisome concern for consumers and businesses alike. Cybercrime is forecasted to cost the world a whopping $6 trillion annually by 2021, according to a recent report by Cybersecurity Ventures.

Every company has a level or stage of cybersecurity awareness training for its end-users — whether that level equates to virtually nonexistent processes and procedures, or that a training program is documented and well established. But the question you should be asking yourself is this: Do you know where your company stands? FPA, which offers a cyber security awareness assessment and training program, is here to help you establish a training program that is effective at managing human risk.

Below, I’ve ranked the levels of cybersecurity awareness training programs based on the Security Awareness Maturity Model, which was developed by SANS Securing the Human, a division of the SANS Institute. Maturity, in this case, refers to creating a secure culture — moving beyond just changing behavior — and having the metrics at nearly each stage to back it up.  

Stage One: Non-Existent

This level is for companies still in cybersecurity awareness training “infancy.” They have no established programs, and employees are unaware of how their actions have a direct impact on the organization’s security.

According to the 2016 State of the SMB Cybersecurity Survey of 600 IT leaders in small and midsize businesses (SMBs), 65% of SMBs have a password policy that is not strictly enforced, and 59% report having “no visibility into employee password practices and hygiene.” It is because of these types of lax practices that 50% of SMBs reported being breached in the previous 12 months leading up to the survey.

Stage Two: Compliance-Focused

This level of program is designed to meet specific audit or compliance requirements, and training is limited to being offered on an ad hoc or yearly basis. At a foundational level, employees in an organization are unaware of organizational policies pertaining to cybersecurity, or even their role in protecting the organization’s information assets.

Stage Three: Promoting Awareness and Behavior Change

A program at this level identifies and focuses on training topics that will have the most significant impact. The content is communicated in a positive and engaging way so that employees are encouraged to change their behaviors both at work and home. Additionally, it helps ensure they understand and follow set policies, and actively seek to recognize, prevent, and report any concerns or incidents.

Stage Four: Long-Term Sustainment and Culture Change

This type of program has established leadership support, processes and resources to facilitate and support a long-term life cycle. It includes at least an annual review of its effectiveness and discussion of any updates. The resulting program is an integral part of the organization’s culture and is both engaging and up-to-date.

Stage Five: Metrics Framework

The progress and impact of this mature level program is measured via a robust metrics framework, resulting in a continuously improving system that demonstrates a worthy return on investment. The metrics at this level differ from those at the previous Cyber Security Awareness Model stages in that the metrics at this level support and demonstrate awareness program success.  

The SANS Institute recently released its 2017 Security Awareness Report, which attempts to outline steps and recommendations needed to improve security awareness programs. Their findings are based on the survey responses of 1,084 professionals in 58 countries who helped to build, contribute or manage the security awareness programs at their organizations. Among its findings includes the limited number of full-time employees devoted to security awareness programs, and how effective communication can contribute to security awareness programs either thriving or failing.

As a whole, business owners and IT personnel need to stop blaming end-users and labeling them as “security problems.” It is necessary to identify the roles each of those groups plays in taking or not taking the initiative to implement robust and effective training programs in the first place.

Whether your business is large or small, it’s critical that your company’s user security awareness training becomes a valued and integral part of employees’ work life culture. I've put together a list of questions to ask yourself (or your IT guy) to help assess the security of your business’ network.

Developing a comprehensive and mature cyber security awareness training is often challenging, as the average computer user is relatively uninformed about key cybersecurity concepts. FPA is here to help you address many of the maturity model components and related challenges. As far as managing the security aspects of your technology goes, our clients don't do any of the heavy lifting — our plans are comprehensive, easy to use and, best of all, we run them for you!

Request your free technology review call today to get started.  

What do you think? Has this info been helpful? Let us know in the Comment box below or shoot me an email if you’d like to chat about this in more detail.

New call-to-action

Subscribe here to get our "2 Minute Tuesday" email for valuable tips & tricks!


Craig Pollack

Craig Pollack

Craig is the Founder & CEO of FPA Technology Services, Inc. Craig provides the strategy and direction for FPA, ensuring its clients, business owners, and key decision makers leverage technology as efficiently and effectively as possible. With over 30 years of experience building the preeminent IT Service Provider in the Southern California area, Craig is one of the area’s leading authorities on how small to mid-sized businesses can best leverage and secure their technology to achieve their business objectives.